openwrt / firewall4 Goto Github PK

Firmware Selector

binutils bzip2 diff find flex gawk gcc-6+ getopt grep install libc-dev libz-dev
make4.1+ perl python3.7+ rsync subversion unzip which

# rule A
config rule
	option name 'dont track DNS queries'
	option src 'lan'
	option dest_port '53'
	option target 'NOTRACK'
# rule B
config rule
	option name 'dont track DNS queries'
	option src_port '53'
	option dest 'lan'
	option target 'NOTRACK'


	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname "br-lan" jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"
	}

	chain notrack_lan {
		tcp dport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
		udp dport 53 counter packets 1298 bytes 91957 notrack comment "!fw4: dont track DNS queries"
	}

      iifname "br-lan" fib daddr . iif type local  jump notrack_lan comment "!fw4: Handle lan IPv4/IPv6 notrack traffic"

	chain raw_output {
		type filter hook output priority raw; policy accept;
		oifname "br-lan" jump notrack_output_lan comment "!fw4: Handle lan IPv4/IPv6 notrack output traffic"
	}
	chain notrack_output_lan {
		tcp sport 53 counter packets 0 bytes 0 notrack comment "!fw4: dont track DNS queries"
		udp sport 53 counter packets 921 bytes 73525 notrack comment "!fw4: dont track DNS queries"
	}


	add firewall rule
	set firewall.@rule[-1].name='Forward-auth-captive'
	set firewall.@rule[-1].src="captivezone"
	set firewall.@rule[-1].dest='wan'
	set firewall.@rule[-1].proto='any'
	set firewall.@rule[-1].target='ACCEPT'
	set firewall.@rule[-1].ipset='captive'
 
	add firewall ipset
	set firewall.@ipset[-1].name='captive'
	add_list firewall.@ipset[-1].match='src_mac'

table inet fw4 {
	set captive {
		type ether_addr
		elements = { }
        }

	chain forward_captivezone {
		meta nfproto ipv4 ether saddr @captive counter packets 111598 bytes 30867442 jump accept_to_wan comment "!fw4: Forward-auth-captive"

config redirect
        option target 'DNAT'
        option name 'IP1-IP2'
        option family 'ipv4'
        option src 'lan'
        option ipset 'IPSET1'
        option dest_ip 'IP2'
        list proto 'all'

chain dstnat_lan {
        ip daddr @IPSET1 counter packets 0 bytes 0 dnat ip to IP2 comment "!fw4: IP1-IP2"
}

chain user_pre_output_nat {
    type nat hook output priority -1; policy accept;
    ip daddr @IPSET1 counter dnat ip to IP2
}

        "zone": [
                {
                        ".description": "test zone",
                        "name": "test1",
                        "log": 1,
                        "log_limit": "1/min"
                }
        ],
        "rule": [
                {
                        ".description": "src test1 log",
                        "proto": "tcp",
                        "src": "test1",
                        "dest_port": 1,
                        "log": 1
                },
         ]
{ "enabled": true, "name": "@rule[0]", "src": { "any": false, "zone": { "enabled": true, "name": "test1", "input": "drop", "output": "drop", "forward": "drop", "log": 1, "log_limit": { "invert": false, "val": "1/min", "rate": 1, "unit": "minute" }, "auto_helper": true, "counter": true, "network": [ ], "family": null, "match_rules": [ ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "drop": true }, "dflags": { "drop": true, "helper": true }, "match_devices": [ ], "match_subnets": [ ], "related_subnets": [ ], "related_physdevs": [ ] } }, "proto": { "invert": false, "val": "tcp", "name": "tcp" }, "dest_port": [ { "invert": false, "val": "1", "min": 1, "max": 1 } ], "counter": true, "log": "@rule[0]: ", "family": 0, "has_addrs": false, "has_ports": true, "saddrs_pos": null, "saddrs_neg": null, "saddrs_masked": null, "daddrs_pos": null, "daddrs_neg": null, "daddrs_masked": null, "sports_pos": null, "sports_neg": null, "dports_pos": [ "1" ], "dports_neg": null, "smacs_pos": null, "smacs_neg": null, "chain": "input_test1", "jump_chain": "null_from_test1" }
{ "enabled": true, "name": "@rule[0]", "src": { "any": false, "zone": { "enabled": true, "name": "test1", "input": "drop", "output": "drop", "forward": "drop", "log": 0, "log_limit": { "invert": false, "val": "1/min", "rate": 1, "unit": "minute" }, "auto_helper": true, "counter": true, "network": [ ], "family": null, "match_rules": [ ], "masq4_src_subnets": [ [ null, null, null ] ], "masq4_dest_subnets": [ [ null, null, null ] ], "masq6_src_subnets": [ [ null, null, null ] ], "masq6_dest_subnets": [ [ null, null, null ] ], "sflags": { "drop": true }, "dflags": { "drop": true, "helper": true }, "match_devices": [ ], "match_subnets": [ ], "related_subnets": [ ], "related_physdevs": [ ] } }, "proto": { "invert": false, "val": "tcp", "name": "tcp" }, "dest_port": [ { "invert": false, "val": "1", "min": 1, "max": 1 } ], "counter": true, "log": "@rule[0]: ", "family": 0, "has_addrs": false, "has_ports": true, "saddrs_pos": null, "saddrs_neg": null, "saddrs_masked": null, "daddrs_pos": null, "daddrs_neg": null, "daddrs_masked": null, "sports_pos": null, "sports_neg": null, "dports_pos": [ "1" ], "dports_neg": null, "smacs_pos": null, "smacs_neg": null, "chain": "input_test1" }
-               tcp dport 1 counter comment "!fw4: @rule[0]"
+               tcp dport 1 counter jump null_from_test1 comment "!fw4: @rule[0]"

                {
                        ".description": "Source any, dest test1, no log",
                        "proto": "tcp",
                        "src": "*",
                        "dest": "test1",
                        "dest_port": 6,
                        "log": 0
                },
table bridge fw4 {
        chain mangle_prerouting {
                type filter hook prerouting priority -150; policy accept;
                iifname "phy0-ap0" meta mark set 0x00000001
        }
}

openwrt / firewall4 Goto Github PK

firewall4's Introduction

Download

Development

Requirements

Quickstart

Related Repositories

Support Information

Documentation

Support Community

Developer Community

License

firewall4's People

Contributors

Stargazers

Watchers

Forkers

firewall4's Issues

Recommend Projects

Recommend Topics

Recommend Org